Home page logo

nmap-dev logo Nmap Development mailing list archives

Re: [NSE] Release of nmap nse vulscan 0.6
From: Henri Salo <henri () nerv fi>
Date: Sun, 15 May 2011 16:30:05 +0300

On Thu, Jun 03, 2010 at 09:21:58AM +0200, Marc Ruef wrote:

As I have announced in my post to the nmap-dev mailing list in
mid-May, I wrote another nse script[1]. This script adds the
functionality of a basic (derivative) vulnerability scanner. The
first public release can be downloaded at my personal web site at:


You have to create a sub-folder "vulscan" in your scripts directory
of your nmap installation. Put the script and the txt files into
that folder. Afterwards, you are able to execute the script with the
following command:

   nmap -PN -sS -sV --script=vulscan -p80 www.scip.ch

It is a requirement to use the option -sV to enable version
detection. This data gathering is used to lookup potential
vulnerabilities within the local data base.

As data base a (improved) edition of the osvdb csv/txt export is
used. It is possible to update this data base yourself by
downloading the current export at the project web site and to
override the files in your vulscan folder. [2]

An example of an output is shown below. As you can see, the osvdb id
and the title of the vulnerability is shown for every port/service
that could be fingerprinted and matched within the data base (in
this case Exim smtpd).

25/tcp open  smtp    syn-ack Exim smtpd 4.69
| vulscan: [5330] Exim Configuration File Variable Overflow
| [5896] Exim sender_verify Function Remote Overflow
| [5897] Exim header_syntax Function Remote Overflow
| [5930] Exim Parenthesis File Name Filter Bypass
| [12726] Exim -be Command Line Option host_aton Function Local Overflow
| [12727] Exim SPA Authentication spa_base64_to_bits Function Remote
|_[12946] Exim -bh Command Line Option dns_build_reverse Function
Local Overflow

The current implementation uses, if executed with no further
options, a full-text search of the title field in the
vulnerabilities table to determine affected products. The reason for
this simple approach called title lookup is, that nmap and osvdb do
not share the same naming conventions for products and osvdb does
not provide full support of the linking between products and
vulnerabilities. This mode may cause some false-positives (e.g.
Apache httpd). [3, 4]

The script supports another mode called correlations lookup which
can be enabled with the following argument:

   nmap -PN -sS -sV --script=vulscan --script-args
vulscancorrelation=1 -p80 www.scip.ch

In this case the determined product is looked up in the products
table of osvdb. Further links to the vulnerabilities are determined.
This causes a lot less false-positives. But such a correlation
lookup takes more time and because of missing data there might be
some false-negatives. Additional details about the current
implementation is available at [5] (German only).

As you can see in the comments of the scripts, there are some todos.
For example, I would like to add support for other data bases as
well (e.g. SecurityFocus, CVE and Secunia). And the correlation mode
might also support taking the version of an installation into
account (because there are some further differences between
nmap/osvdb this will be another challenge). I am going to publish
new releases of the script at my web site and announce them at my
twitter feed[6].

I would like to thank a number of people which supported me
developing this script: Stefan Friedli, Simon Zumstein, David
Fifield and Doggy Dog. If there are any suggestions, feature
requests or bug reports, please let me know.



[1] http://seclists.org/nmap-dev/2010/q2/527
[2] http://osvdb.org/database_info
[3] http://seclists.org/nmap-dev/2010/q2/547
[4] http://seclists.org/nmap-dev/2010/q2/564
[5] http://www.scip.ch/?labs.20100603
[6] http://twitter.com/mruef/

Marc Ruef | marc.ruef () computec ch | http://www.computec.ch/mruef/

I get massive ammounts of false-positive with this script. For example I am using patched up-to-date version of Debian 
stable OpenSSH: OpenSSH 5.1p1 Debian 5 (protocol 2.0)

Results I get with vulscancorrelation=1:

22/tcp   open  ssh        OpenSSH 5.1p1 Debian 5 (protocol 2.0)
| vulscan: [781] OpenSSH Kerberos TGT/AFS Token Passing Remote Overflow
| [1853] OpenSSH Symbolic Link 'cookies' File Removal
| [2112] OpenSSH Reverse DNS Lookup Bypass
| [2557] OpenSSH Multiple Buffer Management Multiple Overflows
| [3938] OpenSSL and OpenSSH /dev/random Check Failure
| [4536] OpenSSH Portable AIX linker Privilege Escalation
| [5408] OpenSSH echo simulation Information Disclosure
| [5536] OpenSSH sftp-server Restricted Keypair Restriction Bypass
| [6071] OpenSSH SSHv1 PAM Challenge-Response Authentication Privilege Escalation
| [6245] OpenSSH SKEY/BSD_AUTH Challenge-Response Remote Overflow
| [6248] Multiple SSH Client ssh-agent Forwarding Information Disclosure
| [6601] OpenSSH *realloc() Unspecified Memory Errors
| [16567] OpenSSH Privilege Separation LoginGraceTime DoS
| [29266] OpenSSH GSSAPI Authentication Abort Username Enumeration
| [29152] OpenSSH Identical Block Packet DoS
| [32721] OpenSSH Username Password Complexity Account Enumeration
| [22692] OpenSSH scp Command Line Filename Processing Command Injection
| [9562] OpenSSH Default Configuration Anon SSH Service Port Bounce Weakness
| [3456] OpenSSH buffer_append_space() Heap Corruption
| [29264] OpenSSH Signal Handler Pre-authentication Race Condition Code Execution
| [34600] OpenSSH S/KEY Authentication Account Enumeration
| [730] OpenSSH Channel Code Off by One Remote Privilege Escalation
| [2140] OpenSSH w/ PAM Username Validity Timing Attack
| [2114] Multiple SSH Client X11 Forwarding Information Disclosure
| [795] Multiple Vendor SSH CRC-32 detect_attack() Function Overflow
| [2109] OpenSSH sshd Root Login Timing Side-Channel Weakness
| [504] OpenSSH SSHv2 Public Key Authentication Bypass
| [839] OpenSSH PAMAuthenticationViaKbdInt Challenge-Response Remote Overflow
| [642] OpenSSH Multiple Key Type ACL Bypass
| [341] OpenSSH UseLogin Local Privilege Escalation
| [688] OpenSSH UseLogin Environment Variable Local Command Execution
| [6072] OpenSSH PAM Conversation Function Stack Modification
| [5113] OpenSSH YP Netgroups Authentication Bypass
| [53021] OpenSSH on ftp.openbsd.org Trojaned Distribution
| [9550] OpenSSH scp Traversal Arbitrary File Overwrite
| [69658] OpenSSH J-PAKE Public Parameter Validation Shared Secret Authentication Bypass
|_[70873] OpenSSH Legacy Certificates Stack Memory Disclosure

What is the correct way not to get false-positives as otherwise this script does not help at all :)

Best regards,
Henri Salo
Sent through the nmap-dev mailing list
Archived at http://seclists.org/nmap-dev/

  By Date           By Thread  

Current thread:
  • Re: [NSE] Release of nmap nse vulscan 0.6 Henri Salo (May 15)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]